
Date:  Fri, 14 Aug 2009 12:04:54 -0400
From:  "Darrell D. Mobley" <dmobley (at mark) uhostme.com>
Subject:  [coba-e:15886] Re: Block Hacker IP from BQ and BX Server
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <3150CA3E753A44FCB7A4498B71031BCE@HP9925NR>
In-Reply-To:  <5D1AFDCEFF6842F0A19B3AC3A086C636@HP9925NR>
References:  <2DAB4EF3-1B30-4A80-9B28-05C1CAC2B271 (at mark) housleyconsulting.com.au> <BAY107-W428D49C8AE2A6E64E87003D1070 (at mark) phx.gbl> <C81E2DF7ABD74911BB472BEC43ABD0A2 (at mark) HP9925NR> <4A8333EF.1040905 (at mark) theanchoragesylvania.com> <4AC0EE4443374853B240370C4E373A02 (at mark) HP9925NR> <5D1AFDCEFF6842F0A19B3AC3A086C636 (at mark) HP9925NR>
X-Mail-Count: 15886

Greg, I can see the issue.  DFix never checks for the string "dovecot: pop3-login: Disconnected.*rip=".  Do I need to add that to DFix?

Also, before you made it a package installed through the GUI, I was able to
add the list of AOL's mail servers to the GOODIP list manually.  How can I
do that now without having to manually update the script every time you send
out an update?  Is there an external configuration file the good IPs can go
into?

> -----Original Message-----
> From: Darrell D. Mobley [mailto:dmobley (at mark) uhostme.com]
> Sent: Friday, August 14, 2009 11:44 AM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:15885] Re: Block Hacker IP from BQ and BX Server
> 
> It happened again this morning:
> 
> Aug 14 04:14:33 www dovecot: pop3-login: Disconnected: user=<admin>,
> method=PLAIN, rip=213.92.11.165, lip=208.77.219.100
> Aug 14 04:14:33 www dovecot: pop3-login: Disconnected: user=<root>,
> method=PLAIN, rip=213.92.11.165, lip=208.77.219.100
> Aug 14 04:14:33 www dovecot: pop3-login: Disconnected: user=<stud>,
> method=PLAIN, rip=213.92.11.165, lip=208.77.219.100
> Aug 14 04:14:35 www dovecot: pop3-login: Disconnected: user=<trash>,
> method=PLAIN, rip=213.92.11.165, lip=208.77.219.100
> Aug 14 04:14:35 www dovecot: pop3-login: Disconnected: user=<gt05>,
> method=PLAIN, rip=213.92.11.165, lip=208.77.219.100
> Aug 14 04:14:35 www dovecot: pop3-login: Disconnected: user=<aaron>,
> method=PLAIN, rip=213.92.11.165, lip=208.77.219.100
> Aug 14 04:14:37 www dovecot: pop3-login: Disconnected: user=<william>,
> method=PLAIN, rip=213.92.11.165, lip=208.77.219.100
> Aug 14 04:14:37 www dovecot: pop3-login: Disconnected: user=<stephanie>,
> method=PLAIN, rip=213.92.11.165, lip=208.77.219.100
> Aug 14 04:14:37 www dovecot: pop3-login: Disconnected: user=<root>,
> method=PLAIN, rip=213.92.11.165, lip=208.77.219.100
> Aug 14 04:14:39 www last message repeated 4 times
> ...
> Aug 14 05:06:51 www dovecot: pop3-login: Disconnected: user=<guravlev>,
> method=PLAIN, rip=213.92.11.165, lip=208.77.219.99
> Aug 14 05:06:51 www dovecot: pop3-login: Disconnected: user=<tikhomirov>,
> method=PLAIN, rip=213.92.11.165, lip=208.77.219.99
> Aug 14 05:06:51 www dovecot: pop3-login: Disconnected: user=<lex>,
> method=PLAIN, rip=213.92.11.165, lip=208.77.219.99
> Aug 14 05:06:53 www dovecot: pop3-login: Disconnected: user=<kuznetsov>,
> method=PLAIN, rip=213.92.11.165, lip=208.77.219.99
> Aug 14 05:06:53 www dovecot: pop3-login: Disconnected: user=<s2a>,
> method=PLAIN, rip=213.92.11.165, lip=208.77.219.99
> Aug 14 05:06:53 www dovecot: pop3-login: Disconnected: user=<kotov>,
> method=PLAIN, rip=213.92.11.165, lip=208.77.219.99
> Aug 14 05:06:53 www dovecot: pop3-login: Disconnected: method=PLAIN,
> rip=213.92.11.165, lip=208.77.219.99
> 
> They finally gave up after 45 minutes of hammering the server.
> 
> DFix never even grunted...
> 
> 
> > -----Original Message-----
> > From: Darrell D. Mobley [mailto:dmobley (at mark) uhostme.com]
> > Sent: Wednesday, August 12, 2009 5:48 PM
> > To: coba-e (at mark) bluequartz.org
> > Subject: [coba-e:15881] Re: Block Hacker IP from BQ and BX Server
> >
> > > -----Original Message-----
> > > From: Greg Kuhnert [mailto:greg.kuhnert (at mark) theanchoragesylvania.com]
> > > Sent: Wednesday, August 12, 2009 5:28 PM
> > > To: coba-e (at mark) bluequartz.org >> BQ List
> > > Subject: [coba-e:15880] Re: Block Hacker IP from BQ and BX Server
> > >
> > > There have been dovecot log format changes recently. I sent a post to
> > > the list advising all users to upgrade to the most recent version. Older
> > > versions will not block brute force attacks.
> > >
> > > To check your dfix version from a shell - enter the command
> > >
> > > rpm -qa dfix
> > >
> > > If you are up to date, it will return dfix-9-1
> > >
> > > Regards,
> > > Greg.
> >
> > It said:
> >
> > [root@www ~]# rpm -qa dfix
> > warning: only V3 signatures can be verified, skipping V4 signature
> > dfix-9-1
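As an added example (not DFix's own code and not part of this thread), here is how the pattern Darrell proposes could be run over Dovecot log lines like the ones quoted above, with a per-source counter and an allowlist standing in for DFix's GOODIP list. The GOODIP networks, the threshold and the log lines not copied from the thread are constructed assumptions; the syslog "last message repeated N times" line is folded into the previous source's count.

```python
import ipaddress
import re
from collections import Counter

# The string the message above says DFix never checks for, anchored on the
# remote IP (rip=). IPv4 only, matching the log lines quoted in the thread.
DISCONNECT_RE = re.compile(
    r"dovecot: pop3-login: Disconnected.*?rip=(?P<rip>\d{1,3}(?:\.\d{1,3}){3})"
)
# syslog collapses identical consecutive lines into this marker.
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")

# Hypothetical stand-in for DFix's GOODIP list (constructed networks).
GOODIP = [ipaddress.ip_network(n) for n in ("208.77.219.0/24", "10.0.0.0/8")]

def is_good_ip(ip: str) -> bool:
    """True if ip falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GOODIP)

def count_disconnects(lines):
    """Map rip -> number of pop3-login disconnects.
    A 'last message repeated N times' line adds N to the rip of the line
    immediately before it, and only if that line was itself a disconnect."""
    counts, last_rip = Counter(), None
    for line in lines:
        m = DISCONNECT_RE.search(line)
        if m:
            last_rip = m.group("rip")
            counts[last_rip] += 1
            continue
        r = REPEAT_RE.search(line)
        if r and last_rip is not None:
            counts[last_rip] += int(r.group("n"))
        else:
            last_rip = None  # unrelated line breaks the repeat chain
    return counts

def offenders(lines, threshold=5):
    """Sources at or above threshold that are not allowlisted (sorted)."""
    return sorted(ip for ip, n in count_disconnects(lines).items()
                  if n >= threshold and not is_good_ip(ip))

# Constructed sample: first two lines and the repeat line follow the thread's
# quoted log; the last two are made up (one from the allowlisted /24).
SAMPLE_LOG = """\
Aug 14 04:14:33 www dovecot: pop3-login: Disconnected: user=<admin>, method=PLAIN, rip=213.92.11.165, lip=208.77.219.100
Aug 14 04:14:33 www dovecot: pop3-login: Disconnected: user=<root>, method=PLAIN, rip=213.92.11.165, lip=208.77.219.100
Aug 14 04:14:39 www last message repeated 4 times
Aug 14 04:15:01 www dovecot: pop3-login: Disconnected: method=PLAIN, rip=213.92.11.165, lip=208.77.219.99
Aug 14 04:16:00 www dovecot: pop3-login: Disconnected: user=<bob>, method=PLAIN, rip=208.77.219.50, lip=208.77.219.100
""".splitlines()

if __name__ == "__main__":
    print(dict(count_disconnects(SAMPLE_LOG)))
    print(offenders(SAMPLE_LOG))
```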